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DETAILED ACTION 

1. This action is responsive to communication: 28 December 2004, the original application 
was filed on 1 December 2000 with a continuing application priority date of 09 May 2000, 

2. Claims 1-54 are currently pending in this application. Claims 1, 16, 19, 26, 40, 43, 50, 
53, and54 are independent claims. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1-54 have been considered but are not 
persuasive. 

In response to applicant's argument beginning on page 2, "It contains no teaching or 
suggestion of assigning non-uniform privacy policies to resources of a given enterprise as 
required by claim 1, nor is such teaching or suggestion to bound anywhere else in Hunt". The 
Office disagrees the assigning on non-uniform privacy policies is inherent in col. 2, lines 61-64 
"Preferably, the method includes the step of accepting user inputs which define a privacy policy 
in relation to the user's personal data which describes the extent to which the personal data is to 
be released for the purpose of submitting a registration application" and it is later explained in 
col. 4, lines 5-8 "private policy, can review what data has been given out and to whom". 

In response to applicant's argument on page 3, "There is no mention in this passage, or 
anywhere else in Hunt, of any sort of hierarchical node structure or specifically, of determination 
of privacy policies at different nodes based on a hierarchy of private rules". The Office 
disagrees see col. 7, lines 52-65 "The information may be grouped into different categories, for 
example: 1. basic information (name, email address); 2. professional contact information (work 
address and phone number, etc); 3. personal contact information (home address, etc) ... For each 
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information group, the user chooses an information policy". This has the same meaning as 
"hierarchical of private rules", i.e. 'group/categories and user chooses information policy'. 

In response to applicant's argument on page 4, "It makes no mention of "intercepting a 
request from an application" and then "querying the application to determine its compliance with 
the [enterprise] privacy policies". The Office disagrees intercepting requests is shown in col. 2, 
line 66 through col. 3, line 9 "Preferably, the method includes the step of providing a unique 
proxy address for the user in registration application so that communications addressed to the 
user using the unique address are received by the at least one registration agreement computer or 
registration agent server and are subsequently forwarded to the user". In addition querying 
applications ... is shown in col. 5, lines 37-50 "analyzing the site's data requirements and forms 
handling system (in other words, what data do they want from the user and how does their 
registration system work?) ... identifying an resolving conflicts between the user's privacy 
preferences and the site's policies". 

Claim Rejections - 35 USC §102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language 

5. Claims 1-12, 14-36, 38-54 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Hunt et al. U.S. Patent No. 6,496,855 (hereinafter '855). 
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As to independent claim 1, "A method for privacy management, comprising: 
providing a linked collection of interactive resources through which a user is able to 
exchange information with an enterprise that provides the resources; assigning respective, 
non-uniform privacy policies to at least some of the resources regarding use of the 
information that is exchanged through the resources; providing to the user accessing a 
given one of the resources the respective privacy policy for that resource; and exchanging 
with the user at least a portion of the information that is associated with the given one of 
the resources, subject to the provided privacy policy" is taught in '855 col. 2, 
lines 31-65. 

As to dependent claim 2, "wherein exchanging the information with the 
user comprises receiving private information submitted to the enterprise by the 
user" is shown in '855 col. 2, lines 5-16. 

As to dependent claim 3 "wherein receiving the private information 
comprises receiving the user's agreement to the privacy policy, and recording the 
private information together with an indication of the privacy policy agreed upon" 
is disclosed in '855 col. 2, lines 19-33. 

As to dependent claim 4, "and comprising: intercepting a request from an 
application to use the private information received from the users; querying the 
application to determine its compliance with the privacy policy subject to which 
the requested information was received; and providing the requested information 
subject to the compliance of the application with the privacy policy" is taught in 
'855 col. 5, lines 37-67. 
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As to dependent claim 5, "wherein assigning the non-uniform privacy 
policies comprises assigning a first privacy policy to a first one of the resources 
and a second, different privacy policy to a second one of the resources" is shown 
in '855 col. 7, lines 52-65. 

As to dependent claim 6, "wherein providing the linked collection of 
interactive resources comprises arranging the resources in a hierarchy of nodes 
that comprises a root node, such that each of the nodes except for the root node 
has a parent node in the hierarchy, and wherein assigning the non-uniform 
privacy policies comprises assigning to each of at least some of the nodes, 
including the nodes associated with the first and second resources, one or more 
respective privacy rules regarding use of the information that is associated with 
the node, and setting for each of the nodes a node privacy policy that comprises 
the privacy rules assigned to the node combined, for each of the nodes except 
the root node, with the node privacy policy of its parent node" is disclosed in '855 
col. 7, lines 52-65. 

As to dependent claim 7, "wherein providing the privacy policy to the user 
comprises informing the user who has exchanged the information associated 
with the first resource subject to the first privacy policy of a difference in the 
second privacy policy relative to the first privacy policy before exchanging the 
information associated with the second resource" is taught in '855 col. 5, 
lines 44-45. 



Application/Control Number: 09/728,661 Page 6 

Art Unit: 2134 

As to dependent claim 8, "wherein assigning the non-uniform privacy 
policies comprises assigning an initial privacy policy to one of the resources, and 
subsequently making a change in the initial privacy policy so as to assign a 
modified privacy policy to the resource, and wherein providing the privacy policy 
to the user comprises informing a user who has exchanged information with the 
resource subject to the initial privacy policy of the change" is shown in col. 3, 
lines 52-67. 

As to dependent claim 9, "wherein informing the user comprises prompting 
the user to provide an input to indicate whether the user accepts or rejects the 
change" is disclosed in '855 col. 5, lines 44-45. 

As to dependent claim 10, "wherein assigning the privacy policies 
comprises storing the privacy policies in a computer server belonging to the 
enterprise, and wherein providing the privacy policy to the user comprises 
intercepting a request by the user to access the given resource and providing the 
privacy policy for the resource responsive to the request" is shown in '855 col. 2, 
lines 6-33. 

As to dependent claim 11, "wherein the collection of resources comprises 
a collection of Web pages accessible through a Web site of the enterprise" is 
disclosed in '855 col. 2, lines 36-46. 

As to dependent claim 12, "wherein providing the privacy policy comprises 
conveying the policy in a standard form for presentation by a Web browser" is 
taught in '855 col. 5, line 55 through col. 6, line 5. 
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As to dependent claim 14, "wherein assigning the non-uniform privacy 
policies comprises determining a rating for each of the policies based on a 
predetermined rating scale" is shown in '855 col. 6, lines 44-64. 

As to dependent claim 15, "wherein assigning the non-uniform privacy 
policies comprises defining first and second user classes and defining, for a 
given one of the resources, different first and second privacy policies, 
respectively, for the first and second user classes, and wherein providing the 
privacy policy to the user comprises determining whether the user belongs to the 
first or second class, and providing the first or the second privacy policy 
accordingly" is disclosed in '855 col. 7, lines 52-65. 

As to independent claim 16, "A method for privacy management, 
comprising: arranging a body of information in a hierarchy of nodes that 
comprises a root node, such that each of the nodes except for the root node has 
a parent node in the hierarchy; assigning to each of at least some of the nodes 
one or more respective privacy rules regarding use of the information that is 
associated with the node; setting for each of the nodes a node privacy policy that 
comprises the privacy rules assigned to the node combined, for each of the 
nodes except the root node, with the node privacy policy of its parent node" is 
taught in '855 col. 7, lines 52-65; 

"providing to a user who accesses a given one of the nodes the node 
privacy policy for that node; and exchanging with the user at least a portion of 
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the information that is associated with the given one of the nodes, subject to the 
provided privacy policy" is shown in '855 col. 6, lines 44-64. 

As to dependent claims 17, 18 these claims are substantially similar to 
claims 2, 11 therefore they are rejected along the same rationale. 

As to independent claim 19, "A method for privacy management, 
comprising: providing a linked collection of interactive resources through which 
a user is able to exchange information with an enterprise that provides the 
resources, at least some of the resources having privacy policies associated 
therewith regarding use of the information that is exchanged through the 
resources; receiving information from users who access the resources subject to 
the privacy policies" is disclosed in '855 col. 2, lines 31-65; 

"intercepting a request from an application to use the information received 
from the users; querying the application to determine its compliance with the 
privacy policies subject to which the requested information was received; and 
providing the requested information subject to the compliance of the application 
with the privacy policies" is taught in '855 col. 5, lines 37-50. 

As to dependent claims 20-24 these claims are substantially similar to 
claims 11, 5, 6, and 7 therefore they are rejected along the same rationale. 

As to dependent claim 22, "wherein providing the requested information 
comprises checking the compliance of the application with the privacy rules 
respectively applicable to each of the items of the information requested by the 
application" is shown in '855 col. 7, lines 52-65. 
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As to dependent claim 25, "and comprising making a record of the request 
and of the information provided responsive thereto in a log for review in a 
subsequent privacy audit" is disclosed in '855 col. 3, lines 58-67. 

As to independent claim 26, this claim is directed to the apparatus of the 
method of claim 1 and is rejected along the same rationale. 

As to dependent claims 27-36, 38, and 39 these claims are substantially 
similar to claims 2-12 and 14; therefore they are rejected along the same 
rationale. 

As to independent claim 40, this claim is directed to the apparatus of the 
method of claim 16 and is rejected along the same rationale. 

As to dependent claims 41 and 42 these claims are substantially similar to 
claims 2 and 11; therefore they are rejected along the same rationale. 

As to independent claim 43, this claim is directed to the apparatus of the 
method of claim 19 and is rejected along the same rationale. 

As to dependent claims 44 and 45 these claims are substantially similar to 
claims 11 and 5; therefore they are rejected along the same rationale. 

As to dependent claim 46, "wherein the server is arranged to check the 
compliance of the application with the privacy rules respectively applicable to 
each of the items of the information requested by the application" is taught in '855 
col. 5, lines 37-65. 

As to dependent claim 47, "wherein when the server is arranged, upon 
determining that the application does not comply with the rules respectively 
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applicable to a given one of the items, to refuse to provide the requested 
information with respect to the given item, while providing information regarding 
another of the items with respect to which the application does comply with the 
respectively applicable rules" is shown in '855 col. 3, lines 61-67 and col. 5, lines 44- 
45. 

As to dependent claim 48, "wherein the server is arranged to receive the 
items from first and second ones of the users subject to respective first and 
second privacy policies, and to check the compliance of the application with both 
the first and the second privacy policies" is disclosed in col. 7, lines 62-65. 

As to dependent claim 49, "wherein the server is adapted to make a record 
of the request and of the information provided responsive thereto in a log for 
review in a subsequent privacy audit" is taught in col. 3, lines 57-61. 

As to independent claim 50, this claim is directed to the computer software 
of the method of claim 1 and is rejected along the same rationale. 

As to dependent claims 51 and 52 these claims are substantially similar to 
claims 2, 3, and 11; therefore they are rejected along the same rationale. 

As to independent claim 53, this claim is directed to the computer software 
of the method of claim 16 and is rejected along the same rationale. 

As to independent claim 54, this claim is directed to the computer software 
of the method of claim 19 and is rejected along the same rationale. 
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Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

6. Claims 13 and 37 are rejected under 35 U.S.C. 103(a) as being unpatentable over '855 as 
applied to claims 1 and 26, in further view of Barrett et al. U.S. Patent No. 6,581,059 
(hereinafter '059). 

As to dependent claim 13, the following is not taught in '855 "wherein the 
standard form comprises a from specified by the Platform for Privacy Preferences 
Project (P3P)" however '059 teaches "The information communication protocol 
and information ontology are based upon the W3C's P3P specification. The 
W3C;s P3P specification" in col. 5, lines 45-47. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the teachings of '855, a Web site regitration proxy system to include the use of P3P 
format. One of ordinary skill in the art would have been motivated to perform such a 
modification to expand the use of the internet as indicated by '059 (see col. 1, lines 65 et seq.) 
Recently, a protocol known as Platform for Privacy Preferences Project (P3P) has been proposed 
by the World Wide Web Consortium (W3C). The P3P protocol enables World Wide Web sites to 
inform a user of a web browser of a Web sites privacy practices and allow the user of the web 
browser to exercise preferences based upon those practices". 
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As to dependent claim 37, this claim is substantially similar to claim 13 and therefore 
is rejected along the same rationale. 



Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1 .136(a). A shortened statutory period for reply to this final action is set to 
expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened 
statutory period will expire on the date the advisory action is mailed, and any extension fee 
pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In 
no event, however, will the statutory period for reply expire later than SIX MONTHS from the 
mail ing date of this final action. 

6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C Tran whose telephone number is 
(571) 272-3842. The examiner can normally be reached from 6:30 am to 3:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory A Morse can be reached on (571) 272-3838. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
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may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 

applications is available through Private PAIR only. For more information about the PAIR 

system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 

system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Ellen Tran 
Patent Examiner 
Technology Center 2134 

13 April 2005 * 
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SUPERVISORY PATENT EXAMINER 
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